'Geek's' 9/11 analysis sheds light on NSA activities
- From: "jose" <josefsoplar@xxxxxxxxx>
- Date: 21 May 2006 11:30:57 -0700
Saturday, May 20, 2006
John Mangels
Plain Dealer Science Writer
Valdis Krebs is pretty sure he knows why the super-secret National
Security Agency is rooting around in the nation's phone-calling
records. It's the same sort of electronic sleuthing he did following
9/11 to uncloak some of al-Qaida's secrets.
Krebs isn't a Fort Meade spook; he's a Cleveland-based management
consultant and self-confessed "techno-geek" whose specialty is the
esoteric field of network analysis. That's a computer-aided method for
tracing where and how information moves within an organization, and
who's connected to whom.
Usually Krebs works with Fortune 500 companies. But terrorists operate
in networks like businesses do. Both groups have obscure but important
communications channels and alliances among their members that network
analysis might reveal. Maybe Krebs could learn something about how the
19 hijackers pulled off the attacks.
Shortly after the Sept. 11, 2001, attacks, Krebs started plugging
information gleaned from news accounts about the terrorists into his
computer and sifting it with InFlow, the network analysis software he
developed.
By mid-October 2001, linkages began to appear on his screen like the
wispy strands of a spider's web -- a pattern called the "emergent
organization."
Mohamed Atta, one of those who commandeered American Airlines Flight
11, the first jet to hit the World Trade Center, was clearly a
ringleader. Atta's "node" -- geek speak for an individual's position
within the network -- had the most and the closest connections to the
other terrorists. It looked like the map of an airline hub, with dozens
of routes passing through a central city. That marked Atta as an
information broker and a key to the 9/11 operation.
Many of the tighter relationships were among the men trained to fly the
four hijacked planes. That was risky, because if investigators had
discovered one of the pilots beforehand, the ties could have led to the
other three and possibly disrupted the entire plan of attack.
Long a staple in the academic and business world, network analysis has
begun popping up in new and unusual places. Its best-known new
application is enabling the adolescent hook-ups on social Web sites
such as Friendster and MySpace. Public health officials have used the
approach to examine how infectious diseases spread.
Law enforcement has gotten into the game, too. Cops, who used to plot
mob connections with string and tacks on a bulletin board, now tap
network analysis software to plumb the structure of criminal outfits
and narrow the search for fugitives.
Vegas casino operators use it to check whether employees have hidden
ties to crooks. The technique reportedly played a role in the U.S.
Army's capture of Saddam Hussein, as well as helping police tighten the
net around the sniper duo who paralyzed the Washington, D.C., area in
2002.
Last week, USA Today disclosed that the NSA had obtained several years'
worth of computerized domestic call lists -- no names, just numbers and
talk times -- from BellSouth, AT&T and Verizon, and is using network
analysis to process the data. BellSouth and Verizon subsequently have
denied providing bulk information to the NSA, even as customers filed a
$200 billion federal lawsuit against all three phone companies alleging
privacy violations.
"There is an insatiable desire in the intelligence community to compile
data on Americans," said Jonathan Turley, a George Washington
University law professor whose specialty is national security and
constitutional issues.
"People don't realize how much of their lives, tastes, prejudices can
be assembled through these types of records. We are fast becoming a
fish bowl society. Most citizens don't recognize what a truly
transformative point we're at."
Agency may be pairing records with other data
Privacy concerns aside, network analysis experts disagree about how
helpful one massive database like those billions of calling records
would be in the hunt for terrorists. Some worry that the inevitable
false hits from sifting so much information would waylay investigators
and tarnish innocent people.
Questions about the value of a single database may be moot, however. To
refine its pattern-spotting, the NSA likely is pairing phone records
with information from other federal agencies, not to mention
commercially available databases like the ones direct-mailers use to
identify potential customers -- a more expansive data-mining effort
than has previously been revealed.
"They must be," former NSA director Bobby Ray Inman said, although he
emphasized he has no knowledge of the agency's current activities.
"All you're looking for here is what you turn around and use to
actually target," said Inman, who ran the spy agency from 1977 to 1981.
"The idea that they've got all this information the phone companies
have provided -- NSA couldn't begin to deal with it. It's just a huge
volume. You're swamped in data that has no value."
Records of credit card usage, for example, could shed some light on
what's behind a sudden flurry of phone calls within a suspicious group.
Maybe investigators would want to know if anyone's using a credit card
to rent large trucks or buy one-way airline tickets. They could set the
appropriate triggers on the software, let it loose to prowl through the
databases, and see whether any alarms go off.
Has the NSA tried to acquire credit-card databases like it did with
phone records? "That's not something we can comment on," said Julie
Davis, a spokeswoman for credit card giant Bank of America.
It's possible the spy agency also is analyzing large amounts of
Internet traffic. Newsweek and several other news organizations
reported this week that a veteran AT&T technician, Mark Klein,
discovered specially constructed and equipped rooms at several AT&T
offices on the West Coast that allowed the NSA to tap into e-mail and
other Web data flow. Klein has provided testimony that the Electronic
Frontier Foundation is using in a privacy lawsuit against AT&T.
How it's applied to businesses
To understand network analysis' potential as a terrorism-tracking tool,
it helps to look at how it's applied by a business consultant like
Krebs to diagnose a company.
Say that Acme Corp. wants to figure out why one of its divisions
regularly breaks sales records, while another hasn't come up with a
winning product in years. With Acme's permission, a network analyst
would examine the flow of information involving Acme employees --
e-mails, phone call logs, records of face-to-face meetings, memos --
and enter the findings into a software program.
The resulting computer map would show the relationships among Acme
workers, and with people outside the company.
Network analysis not only judges how tightly or loosely people are
connected -- which says something about the efficiency of information
flow -- but also identifies "brokers" who hear from lots of people and
decide what to pass on; "boundary spanners," the innovators who reach
out to new and potentially helpful people outside the immediate group;
and "peripheral players" who sit at the margins without much contact.
Considered this way, in terms of where ideas come from, who the key
players are and how well people cooperate, Acme's internal structure
probably looks a lot different than it does on the company's
organization chart.
Fleshing out how terrorists organize
How does any of this apply to anti-terrorism efforts? Obviously
al-Qaida members aren't going to willingly give up anything about their
organization the way Krebs' business clients do.
But with a starting point -- a suspect or two and some record of whom
they communicate with over time -- network analysis can begin to flesh
out something about who's in the organization and what their roles
might be.
Krebs and others prefer this bottom-up approach of starting small with
a known target and working outward, building up contact information in
a "snowball sample," rather than fishing in a giant and confusing ocean
like the database of the entire country's phone-calling records.
Others think even a database as vast as the nation's phone records
could yield something useful.
"The tools are getting better. The ability to handle big databases is
getting better," said Stanley Wasserman, professor of sociology,
psychology and statistics at Indiana University and chief scientist at
Visible Path, a network analysis software firm. "The NSA has network
analysts working for them. I know some of them. Anyone who says the NSA
can't learn anything from phone records is naive."
A sophisticated analysis might even suggest some strategies for
disrupting a terrorist cell. Someone who shows up on the network
analysis map as the nexus for lots of chatter from across the
organization would at the very least merit deeper surveillance.
Tapping into that active "node" would have bigger potential payoff than
eavesdropping on someone at the margins.
If intelligence showed an attack was imminent, taking out the
terrorists that network analysis targeted as the central planners or
key information conduits could topple the plot.
There's a danger, though, in extrapolating too much from what you see
on a computer screen, of thinking that people -- terrorists -- react as
predictably as the digital knights and bishops in a game of online
chess.
"We're so enamored of technology," Krebs said. "I'm a techno-geek but I
know that technology by itself is often useless. It's more an aid in
thinking. You have to have a good mix of technology and sociology to
track terrorists or understand an organization."